nanog mailing list archives

Re: New vyatta-nsp list


From: Brent Jones <brent () servuhome net>
Date: Tue, 24 May 2011 16:50:45 -0700

On Tue, May 24, 2011 at 2:54 PM, Jon Bane <jon () nnbfn net> wrote:
> On Tue, May 24, 2011 at 5:26 PM, Brent Jones <brent () servuhome net> wrote:
>
>> Well, with the new Juniper entry level MX devices out now, the cost
>> difference between Vyatta and Juniper is probably insignificant now,
>> and with Juniper devices, you have much higher PPS rate.
>>
>> Granted, I have Vyatta devices now doing BGP, and they work fine, but
>> you can't argue that ASICs can forward much faster than a general
>> purpose CPU :)
>>
>> To each their own
>>
>> --
>> Brent Jones
>> brent () servuhome net
>
> I won't argue that an ASIC isn't faster, but it is hard to argue that Vyatta
> isn't capable of high-end performance.
>
> http://download.intel.com/embedded/processor/solutionbrief/322973.pdf


The graphs show near 100% CPU usage at small packet sizes, and low
PPS. That would lead to a pretty easy to launch DDoS against a
software based router platform.
Since there isn't a separation between control plane/forwarding plane,
an attacker could trivially take you offline. I'd imagine due to the
nature of x86 platform, being interrupt based and forwarding table
residing in memory the CPU has to access, there's a finite amount you
can scale this without risking big disruptions from a relatively small
DDoS.

Not saying software platforms can't achieve good throughput, there has
to be a realization of the limits of the platform, and when it
shouldn't be used.
Again, I personally use the Vyatta commercial software, and it works
great, so I'm not knocking it. But I wouldn't consider it high-end
performance when a few million PPS can lead to service disruptions.

-- 
Brent Jones
brent () servuhome net

